退换货加csrf

王水玲
Commit 9e48be468014448cce7dfe543cabc17ecb5b8c69 1 parent 6254fab9
Showing 3 changed files with 6 additions and 4 deletions
apps/home/router.js
apps/home/views/action/returns/returns-apply.hbs
public/js/home/returns-apply.js
--- a/apps/home/router.js
View file @9e48be4
+++ b/apps/home/router.js
View file @9e48be4
@@ -88,12 +88,12 @@ router.get('/message/pickCoupon', messageController.pickCoupon);
 
 // 我的退/换货
 router.get('/returns', tabsMiddleware.getCommonHeader, returnsController.index);
- router.get('/returns/refundrequest', tabsMiddleware.getCommonHeader, returnsController.refundApply);// 退货申请
- router.post('/returns/saveRefund', tabsMiddleware.getCommonHeader, returnsController.saveRefund);// 提交退货
+ router.get('/returns/refundrequest', csrf, tabsMiddleware.getCommonHeader, returnsController.refundApply);// 退货申请
+ router.post('/returns/saveRefund', csrf, tabsMiddleware.getCommonHeader, returnsController.saveRefund);// 提交退货
 router.get('/returns/refundSuccess', tabsMiddleware.getCommonHeader, returnsController.refundSuccess);// 退货成功
 router.get('/returns/refundDetail', tabsMiddleware.getCommonHeader, returnsController.refundDetail);// 退货详情
- router.post('/returns/saveExchange', tabsMiddleware.getCommonHeader, returnsController.saveExchange);// 提交退货
- router.get('/returns/exchangerequest', tabsMiddleware.getCommonHeader, returnsController.exchangeApply);// 换货申请
+ router.post('/returns/saveExchange', csrf, tabsMiddleware.getCommonHeader, returnsController.saveExchange);// 提交退货
+ router.get('/returns/exchangerequest', csrf, tabsMiddleware.getCommonHeader, returnsController.exchangeApply);// 换货申请
 router.get('/returns/exchangeSuccess', tabsMiddleware.getCommonHeader, returnsController.exchangeSuccess);// 换货成功
 router.get('/returns/exchangeDetail', tabsMiddleware.getCommonHeader, returnsController.exchangeDetail);// 换货详情
 router.post('/returns/getDelivery', tabsMiddleware.getCommonHeader, returnsController.getDelivery);// 获取换货方式
--- a/apps/home/views/action/returns/returns-apply.hbs
View file @9e48be4
+++ b/apps/home/views/action/returns/returns-apply.hbs
View file @9e48be4
@@ -11,6 +11,7 @@
             {{> swindle-info}}
 
             <div class="apply-container">
+                 <input type="hidden" name="_csrf" value="{{csrfToken}}">
                 {{# exchange}}
                     <div class="return-prompt">
                         换货须知：<br>
--- a/public/js/home/returns-apply.js
View file @9e48be4
+++ b/public/js/home/returns-apply.js
View file @9e48be4
@@ -609,6 +609,7 @@ function loadWaiting(status) {
 }
 
 function saveRefundExchange(url, data) {
+     data._csrf = $('input[name=_csrf]').val();
     loadWaiting(true);
     $.ajax({
         type: 'POST',